If you don't want to mess with SELinux or similar software, you can try the old chroot jail method that was once used for things like FTP servers. The jail should be able to contain the Windows security risk problem. The chroot jail method was eventually discovered to be not entirely secure, but I doubt that any Windows malware would know how to bypass the jail.